audit: type=1804 audit(1657586512.958:11): pid=9535 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.4" name="/root/syzkaller-testdir284763131/syzkaller.QVech4/2/file0" dev="sda1" ino=13930 res=1 ====================================================== WARNING: possible circular locking dependency detected 4.14.287-syzkaller #0 Not tainted ------------------------------------------------------ kworker/0:1/25 is trying to acquire lock: (&sb->s_type->i_mutex_key#21){+.+.}, at: [] inode_lock include/linux/fs.h:719 [inline] (&sb->s_type->i_mutex_key#21){+.+.}, at: [] __generic_file_fsync+0x9e/0x190 fs/libfs.c:989 but task is already holding lock: ((&dio->complete_work)){+.+.}, at: [] process_one_work+0x6e6/0x14a0 kernel/workqueue.c:2092 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #2 ((&dio->complete_work)){+.+.}: process_one_work+0x736/0x14a0 kernel/workqueue.c:2093 worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251 kthread+0x30d/0x420 kernel/kthread.c:232 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404 -> #1 ("dio/%s"sb->s_id){+.+.}: flush_workqueue+0xfa/0x1310 kernel/workqueue.c:2625 drain_workqueue+0x177/0x3e0 kernel/workqueue.c:2790 destroy_workqueue+0x71/0x710 kernel/workqueue.c:4116 __alloc_workqueue_key+0xd50/0x1080 kernel/workqueue.c:4093 sb_init_dio_done_wq+0x34/0x80 fs/direct-io.c:624 do_blockdev_direct_IO fs/direct-io.c:1287 [inline] __blockdev_direct_IO+0x3df1/0xdcb0 fs/direct-io.c:1423 blockdev_direct_IO include/linux/fs.h:2994 [inline] fat_direct_IO+0x19b/0x320 fs/fat/inode.c:275 generic_file_direct_write+0x1df/0x420 mm/filemap.c:2958 __generic_file_write_iter+0x2a2/0x590 mm/filemap.c:3137 generic_file_write_iter+0x36f/0x650 mm/filemap.c:3208 call_write_iter include/linux/fs.h:1780 [inline] aio_write+0x2ed/0x560 fs/aio.c:1553 io_submit_one fs/aio.c:1641 [inline] do_io_submit+0x847/0x1570 fs/aio.c:1709 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb -> #0 (&sb->s_type->i_mutex_key#21){+.+.}: lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998 down_write+0x34/0x90 kernel/locking/rwsem.c:54 inode_lock include/linux/fs.h:719 [inline] __generic_file_fsync+0x9e/0x190 fs/libfs.c:989 fat_file_fsync+0x73/0x1f0 fs/fat/file.c:165 vfs_fsync_range+0x103/0x260 fs/sync.c:196 generic_write_sync include/linux/fs.h:2684 [inline] dio_complete+0x561/0x8d0 fs/direct-io.c:330 process_one_work+0x793/0x14a0 kernel/workqueue.c:2117 worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251 kthread+0x30d/0x420 kernel/kthread.c:232 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404 other info that might help us debug this: Chain exists of: &sb->s_type->i_mutex_key#21 --> "dio/%s"sb->s_id --> (&dio->complete_work) Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock((&dio->complete_work)); lock("dio/%s"sb->s_id); lock((&dio->complete_work)); lock(&sb->s_type->i_mutex_key#21); *** DEADLOCK *** 2 locks held by kworker/0:1/25: #0: ("dio/%s"sb->s_id){+.+.}, at: [] process_one_work+0x6b0/0x14a0 kernel/workqueue.c:2088 #1: ((&dio->complete_work)){+.+.}, at: [] process_one_work+0x6e6/0x14a0 kernel/workqueue.c:2092 stack backtrace: CPU: 0 PID: 25 Comm: kworker/0:1 Not tainted 4.14.287-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022 Workqueue: dio/loop2 dio_aio_complete_work Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x1b2/0x281 lib/dump_stack.c:58 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258 check_prev_add kernel/locking/lockdep.c:1905 [inline] check_prevs_add kernel/locking/lockdep.c:2022 [inline] validate_chain kernel/locking/lockdep.c:2464 [inline] __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998 down_write+0x34/0x90 kernel/locking/rwsem.c:54 inode_lock include/linux/fs.h:719 [inline] __generic_file_fsync+0x9e/0x190 fs/libfs.c:989 fat_file_fsync+0x73/0x1f0 fs/fat/file.c:165 vfs_fsync_range+0x103/0x260 fs/sync.c:196 generic_write_sync include/linux/fs.h:2684 [inline] dio_complete+0x561/0x8d0 fs/direct-io.c:330 process_one_work+0x793/0x14a0 kernel/workqueue.c:2117 worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251 kthread+0x30d/0x420 kernel/kthread.c:232 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404 audit: type=1800 audit(1657586514.048:12): pid=9568 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.4" name="file0" dev="sda1" ino=13938 res=0 audit: type=1804 audit(1657586514.078:13): pid=9568 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.4" name="/root/syzkaller-testdir284763131/syzkaller.QVech4/3/file0" dev="sda1" ino=13938 res=1 audit: type=1800 audit(1657586514.358:14): pid=9581 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.3" name="file0" dev="sda1" ino=13906 res=0 audit: type=1804 audit(1657586514.358:15): pid=9581 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.3" name="/root/syzkaller-testdir2528944061/syzkaller.qjU440/4/file0" dev="sda1" ino=13906 res=1 audit: type=1800 audit(1657586514.979:16): pid=9622 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.4" name="file0" dev="sda1" ino=13908 res=0 audit: type=1804 audit(1657586514.989:17): pid=9622 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.4" name="/root/syzkaller-testdir284763131/syzkaller.QVech4/4/file0" dev="sda1" ino=13908 res=1 audit: type=1800 audit(1657586515.409:18): pid=9637 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.3" name="file0" dev="sda1" ino=13934 res=0 audit: type=1804 audit(1657586515.409:19): pid=9637 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.3" name="/root/syzkaller-testdir2528944061/syzkaller.qjU440/5/file0" dev="sda1" ino=13934 res=1 ISO 9660 Extensions: Microsoft Joliet Level 0 L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details. kauditd_printk_skb: 2 callbacks suppressed audit: type=1800 audit(1657586517.259:22): pid=9688 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.3" name="file0" dev="sda1" ino=13947 res=0 ISO 9660 Extensions: Microsoft Joliet Level 0 ISO 9660 Extensions: Microsoft Joliet Level 0 ISO 9660 Extensions: Microsoft Joliet Level 0 audit: type=1804 audit(1657586517.479:23): pid=9688 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.3" name="/root/syzkaller-testdir2528944061/syzkaller.qjU440/6/file0" dev="sda1" ino=13947 res=1 netlink: 116 bytes leftover after parsing attributes in process `syz-executor.1'. audit: type=1800 audit(1657586519.429:24): pid=9719 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.4" name="file0" dev="sda1" ino=13956 res=0 Zero length message leads to an empty skb audit: type=1804 audit(1657586519.909:25): pid=9716 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.4" name="/root/syzkaller-testdir284763131/syzkaller.QVech4/6/file0" dev="sda1" ino=13956 res=1 ISO 9660 Extensions: Microsoft Joliet Level 0 ISO 9660 Extensions: Microsoft Joliet Level 0 ISO 9660 Extensions: Microsoft Joliet Level 0 ISO 9660 Extensions: Microsoft Joliet Level 0 ISO 9660 Extensions: Microsoft Joliet Level 0 netlink: 8 bytes leftover after parsing attributes in process `syz-executor.0'. team0: Port device team_slave_1 removed netlink: 8 bytes leftover after parsing attributes in process `syz-executor.0'. batman_adv: batadv0: Interface deactivated: batadv_slave_1 batman_adv: batadv0: Removing interface: batadv_slave_1 netlink: 8 bytes leftover after parsing attributes in process `syz-executor.0'. device hsr_slave_1 left promiscuous mode netlink: 8 bytes leftover after parsing attributes in process `syz-executor.0'. netlink: 8 bytes leftover after parsing attributes in process `syz-executor.4'.